Report No. DODIG-2013-115

Inspector General
Department of Defense

August 7, 2013

The Navy’s Management of Software Licenses Needs Improvement

DODIG-2013-115 (Project No. D2012-D000LB-0177.000)


Results in Brief
The Navy’s Management of Software Licenses Needs Improvement

August 7, 2013

Objective

Our objective was to determine whether the Department of the Navy (DON) effectively managed software licenses. Specifically, we determined whether the DON included appropriate clauses in software license contracts. We reviewed 1 Enterprise Licensing Agreement (ELA), 13 non-ELAs, and the associated End User License Agreements (EULAs) to determine if the contracts included desirable language in accordance with the DoD Enterprise Software Initiative approved software licensing training.

Findings

Overall, the DON made progress toward the mandated use of DON ELAs by issuing a $700 million ELA for Microsoft software. However, the ELA included unacceptable language in 2 of the 11 best practice areas we identified in software licensing training.

In addition, the DON non-ELA software license contracts reviewed, valued at $8.1 million, included unacceptable language for contract clauses in 7 of the 11 areas of concern listed in the software licensing training. Furthermore, 8 of the 13 DON contracting officers accepted EULAs containing unacceptable language. This occurred because no established requirements existed to guide contracting personnel in making a determination on whether to include specific clause language in software license contracts. Furthermore, 11 of the 13 contracting officers did not receive the necessary training to gain the specialized knowledge needed to write software license contracts or review EULAs properly. As a result, the DON increased the risk of wasteful spending, disruption to Government operations, and vulnerability to lawsuits, claims, and penalties.

Recommendations

We recommend that the Assistant Secretary of the Navy (Research, Development, and Acquisition) (ASN[RDA]) require all DON contracting personnel involved in preparing and issuing software license contracts to take specialized training on using appropriate language in software acquisition contracts.

We recommend that the DON Chief Information Officer (CIO):

• require personnel to include favorable language expressed in warranty and embedded third-party software sections of the software licensing training when preparing ELAs for the remaining software on DON’s proposed list; and

• issue a memo identifying the types of training available for determining the appropriate language needed to include and avoid in software license contracts.

Management Comments and Our Responses

Comments from the Executive Director for the Deputy Assistant Secretary of the Navy for Acquisition and Policy, responding for ASN(RDA), were responsive for both recommendations. The DON CIO comments were responsive to two of three and partially responsive to one of three of the recommendations. We request that the DON CIO provide revised comments to the final by September 9, 2013. Please see the Recommendations Table on the back of this page.

Recommendations Table

Management | Recommendations Requiring Comment | No Additional Comments Required
Assistant Secretary of the Navy (Research, Development, and Acquisition) | | 1.a, 1.b
Department of the Navy Chief Information Officer | 2.c | 2.a, 2.b

*Please provide comments by September 9, 2013.


INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

August 7, 2013

MEMORANDUM FOR DEPARTMENT OF THE NAVY ASSISTANT SECRETARY OF THE NAVY (RESEARCH, DEVELOPMENT, AND ACQUISITION)
DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER

SUBJECT: The Navy’s Management of Software Licenses Needs Improvement (Report No. DODIG-2013-115)

We are providing this report for your review and comment. The Department of the Navy made progress in its management of software licensing by issuing an Enterprise Licensing Agreement for Microsoft, which included best practice language for the acquisition of software licenses.
However, the 13 non-Enterprise Licensing Agreement software contracts we reviewed did not include desired best practice language. As a result, the Department of the Navy increased the potential of wasteful spending, disruption of Government operations, and vulnerability to lawsuits, claims, and penalties.

We considered management comments on a draft of this report when preparing the final report. DoD Directive 7650.3 requires that recommendations be resolved promptly. The Executive Director, Deputy Assistant Secretary of the Navy for Acquisition and Procurement comments for Recommendations 1.a and 1.b, responding for Assistant Secretary of the Navy (Research, Development and Acquisition) were responsive and no further comments are needed. The Department of the Navy Chief Information Officer also provided comments that were responsive on Recommendations 2.a and 2.b; however, comments on Recommendation 2.c were only partially responsive. Therefore, we request additional comments on this recommendation by September 9, 2013.

If possible, send a portable document format (.pdf) file containing your comments to audros@dodig.mil. Copies of your comments must have the actual signature of the authorizing official for your organization. We are unable to accept the /Signed/ symbol in place of the actual signature. If you arrange to send classified comments electronically, you must send them over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Please direct questions to me at (703) 604-8907 (DSN 664-8907). If you desire, we will provide a formal briefing on the results.

Alice F. Carey
Assistant Inspector General
Readiness, Operations, and Support


Contents

Introduction
  Objective
  Background
  DoD Software License Policy
  Review of Internal Controls

Finding
  Improvement Needed in the Software Licensing Acquisition Process
  Microsoft Enterprise Licensing Agreement Awarded to Reduce Costs
  Microsoft Enterprise Licensing Agreement Included Unacceptable Language
  Non-Enterprise Licensing Agreement Contracts Did Not Include Best Practice Clauses
  End User License Agreement Language Did Not Benefit DoD
  Clauses Specific to Software License Acquisitions Were Not Required
  Contracting Officers Did Not Receive and Were Often Unaware of Specific Training for Writing Software License Contracts
  Increased Risk of Wasteful Spending, Government Disruption, Software Vendor Claims and Other Related Disputes
  Management Comments on the Finding and Our Response
  Recommendations, Management Comments, and Our Response

Appendix. Scope and Methodology
  Use of Computer-Processed Data
  Use of Technical Assistance
  Prior Coverage

Management Comments
  Deputy Assistant Secretary of the Navy for Acquisition and Procurement
  Department of the Navy Chief Information Officer

Acronyms and Abbreviations


Introduction

Objective

The overall objective of the audit was to determine whether the Navy was effectively managing software licenses. Specifically, we determined whether the Navy included appropriate clauses in software procurement contracts. We initially planned to review clauses along with how the Navy managed its inventory of software licenses.
However, to provide more timely and relevant results to the Department of the Navy (DON), we narrowed the focus to only appropriate clauses in software license contracts.

Background

During the past 8 years, vendors have made claims against military Services because DoD did not include appropriate language in software contracts or because DoD accepted inappropriate terms in the vendor-prepared End User License Agreements (EULAs[1]). According to the Chief Knowledge Officer within the U.S. Army Acquisition Support Center, when software contracts are not written carefully, the contract and EULA may also violate the Federal Acquisition Regulation (FAR). The following are examples of problems encountered by DoD because of the lack of adequate clauses written in the contract or inappropriate terms accepted in a EULA.

• In an instance involving Navy lease-to-own licenses for Oracle applications, DLT Solutions, an Oracle reseller, sued the Army[2] because the initial contract included a non-substitution clause: “The Government agrees not to replace the equipment and/or software leased under this order with functionally similar equipment and/or software.” The claim, including appeals, lasted from 2004 until 2010, and resulted in a settlement with the Government paying DLT Solutions $1.2 million. The DoD could have avoided the lawsuit had it been aware of the clause in the contract that created this risk.

• According to U.S. Army Acquisition Support Center personnel, the Army had to renegotiate a contract to avoid spending more than $40 million to repurchase 80,000 user licenses at a cost of $500 per license.
  The licenses were for troops deploying from home stations that already had licenses. However, the Army did not initially include a “Times of Conflict” clause that would have prevented the Army from having to purchase new licenses for the deployed troops.

• In 2011, a vendor contract contained language in the EULA that violated FAR 52.212-4, “Contract Terms and Conditions–Commercial Items.” Specifically, the EULA stated, “Customer rights under the agreement will terminate immediately without notice from vendor if Customer fails to comply with any provisions of the Agreement.” This violates FAR 52.212-4, which requires a contractor to continue performance in the event of a dispute between the contractor and the Government.

[1] A EULA is the comprehensive license agreement between the Government and a publisher or reseller that lists the end user’s rights. Additional names for a EULA include but are not limited to Purchaser Use Rights, Software License Agreement, or Software User Rights Agreement.
[2] The Army issued the contract for $6.9 million on behalf of the Navy.

Software acquisition contracts that do not include appropriate language can also increase the risk of compromising sensitive DoD information.
For example, when contracts do not include language that limits who can perform an audit of software the Government acquires, the contractor could have an audit performed by a third-party auditor who could access unauthorized sensitive Government information.

The above examples underscore the need for contracting officers to include appropriate clause language in software acquisition contracts and to accept only EULAs that contain the appropriate language that will protect the Government’s best interest.

DoD Software License Policy

The Defense Federal Acquisition Regulation Supplement (DFARS) 227.7202, “Commercial computer software and commercial computer software documentation,” states that commercial computer software shall be acquired under the licenses customarily provided to the public unless the licenses are inconsistent with Federal law or don’t satisfy user needs.

DFARS 208.7402, “General,” also applies to all commercial software. The DFARS states that departments and agencies shall fulfill requirements for commercial software and related services, such as software maintenance, in accordance with the DoD Enterprise Software Initiative (ESI). This initiative includes the DoD ESI Software Buyers Checklist, which provides a standardized set of steps to follow when using the ESI’s enterprise software agreements.
The Software Buyers Checklist states that DoD information technology buyers reduce buying cycle time and risk by using ESI enterprise software agreements with enhanced terms and conditions that support many DoD objectives and industry best practices.

The DoD ESI is an official DoD initiative sponsored by the DoD Chief Information Officer (CIO) to save time and money on commercial software, Information Technology (IT) hardware, and services. The DoD ESI’s mission is to lead in the establishment and management of enterprise commercial off-the-shelf IT agreements, assets, and policies for the purpose of lowering total cost of ownership across the DoD, Coast Guard, and intelligence communities. The mission extends across the entire commercial IT life cycle, leveraging the DoD’s combined buying power with commercial software publishers, hardware vendors, and service providers.

The Computer Hardware Enterprise Software and Solutions (CHESS) is the Army’s designated “primary source” for commercial IT. CHESS provides a no-fee, flexible procurement strategy through which an Army user may procure commercial off-the-shelf IT hardware, software, and services via an e-commerce (IT e-mart). According to the Project Director of Enterprise Solutions Division, CHESS is also the Army’s representative to the DoD ESI.

In 2009, the Army CHESS staff created a set of charts and briefings specifically dedicated to software issues shared with other DoD agencies and presented at several events as a portion of an overall CHESS briefing.
The software licensing training developed into a stand-alone training in 2010. The DoD ESI also began working with a support contractor to keep the charts updated and provide more examples. Currently, the CHESS software licensing training, titled “Software that Goes Bump in the Night Brief,” includes best practices for software licenses acquisition contracts. The same training is also provided through ESI, “Software Licensing Training: Acquiring Licenses in These Changing Times.”

The training presents the top 12 areas of concern with the most common issues identified in EULAs and contracts. Specifically, it gives the suggested DoD Software Buyer Checklist requirements for 11 (excludes maintenance) of the areas and includes examples of acceptable and unacceptable language to look for in contracts and EULAs for each area. The 11 specific areas are:

• warranty,
• transfer rights,
• third-party software,[3]
• audit rights,
• click wrap licenses,[4]
• automatic renewals,
• termination rights,
• governing law,
• order of precedence,
• installation restrictions, and
• virtualization.[5]

[3] Software associated with a product that DoD purchases but is owned by a vendor other than the vendor DoD purchased the product from.
[4] A statement or notice provided to software user from the vendor that states that by clicking accept, the user agrees to all terms of the vendor’s license agreement.

In February 2012, DON issued a memorandum, “Mandatory Use of Department of the Navy Enterprise Licensing Agreements,” which requires all DON organizations to make software licenses purchases using DON Enterprise Licensing Agreement (ELA)[6] contracts when available. The memorandum also states that all DON organizations and programs can achieve maximum cost savings by using enterprise vehicles as the means of procuring software products.

Review of Internal Controls

DoD Instruction 5010.40, “Managers’ Internal Control Program (MICP) Procedures,” July 29, 2010, requires DoD organizations to implement a comprehensive system of internal controls that provide reasonable assurance that programs are operating as intended and to evaluate the effectiveness of the controls. We identified an internal control weakness in the DON software license contracting process. Specifically, DON did not have requirements in place for contracting personnel to make a determination on whether to include specific clause language in software license contracts. Further, DON contracting personnel did not have the necessary training to gain the specialized knowledge to write software license contracts properly.
We will provide a copy of the report to the senior official(s) responsible for internal controls in the DON.

[5] Creation of a virtual (rather than an actual) version of something, such as an operating system or server.
[6] An ELA is a contract document used to purchase software and contains the names and types of software as well as the amount the purchaser is allowed to spend toward the software for a given period of time.


Finding

Improvement Needed in the Software Licensing Acquisition Process

In May 2012, the DON made progress toward the mandated use of DON ELAs by issuing a $700 million ELA for Microsoft software. However, the ELA included unacceptable language for embedded third-party software and warranty, which are 2 of the 11 areas of concern with best practices identified in the DoD ESI approved software licensing training. In addition, the 13 DON non-ELA software license contracts, valued at $8.1 million, included unacceptable language for contract clauses in 7 of the 11 areas of concern listed in the software licensing training. Furthermore, 8 of the 13 DON contracting officers accepted EULAs that contained unacceptable language such as inadequate warranty and transfer rights that did not benefit the DoD.

This occurred because the DON had no established requirements for contracting personnel to make a determination on whether to include specific clause language in software license contracts. In addition, 11 of 13 contracting officers did not receive the necessary training to gain the specialized knowledge needed to write software license contracts or review EULAs properly.
As a result, the DON increased risk of wasteful spending, disruption to Government operations, and vulnerability to lawsuits, claims, and penalties.

Microsoft Enterprise Licensing Agreement Awarded to Reduce Costs

DON showed progress in managing software licenses by awarding a Microsoft ELA[7] in May 2012 in accordance with the DON February 2012 memorandum. The ELA allows the DON as well as General Services Administration or other organizations ordering on behalf of DON to place orders for Microsoft software licenses. In addition, according to the memorandum, using the ELA to obtain software will help the DON achieve maximum cost savings. The Microsoft ELA is the only ELA the DON has issued to date. According to DON CIO personnel, they are adapting the use of ELA contracts for all software license procurements, as mandated by the February 2012 memorandum, but Microsoft was implemented first because of its wide use throughout the Navy. A proposed list of 14 additional DON ELA opportunities in the February 2012 memorandum included Cisco, Oracle, Adobe, Symantec, Xerox, and VMware, among others, for future consideration. The memorandum also stated that the DON CIO would post the projected award dates of the potential opportunities to an access-controlled website linked to the CIO website once dates were determined.

[7] The Microsoft ELA is a blanket purchase agreement between DON and a contractor to purchase Microsoft products.

According to DON CIO personnel, they have determined projected dates for 11 of the remaining 14 DON ELA opportunities listed in the memorandum and provided a timeline that reflected six opportunities planned for this fiscal year and five in FY 2014. Furthermore, they stated that they will not pursue three of the opportunities because they determined that the opportunities were considered low volume based on initial review.

Microsoft Enterprise Licensing Agreement Included Unacceptable Language

The ELA for Microsoft software and associated product use rights document (EULA equivalent) included unacceptable language in 2 of 11 areas identified as areas of concern. Specifically, the product use rights document associated with the ELA included unacceptable language in the areas of embedded third-party software and warranty.

The contracting officer that prepared the Microsoft ELA did not consider the risk when he excluded language that would be in the best interest of the DoD in terms of third-party embedded software.
Specifically, the Microsoft Federal Product Use Rights document, dated April 2012, attached to the Microsoft ELA stated, with regard to Windows embedded products, “Despite anything to the contrary in the Included Microsoft Software Programs section in the General License Terms, all Windows embedded products are governed by their own license terms.” In other words, the DON must not only follow Microsoft’s licensing terms but also must follow the licensing terms of the third-party vendors whose products are embedded in Windows.

Although the above statement informed the DON they must follow the licensing terms of third-party vendors, the Product Use Rights did not list the third parties or their licensing terms. The DoD position in the DoD ESI approved software licensing training is that DoD must be aware of the third-party software requirements to weigh the risk to software procurement. The software licensing training also provides examples of desired language for this situation, which would require the publisher of the software (in this case Microsoft) to ensure they obtained all necessary third-party licenses. In addition, the training suggests language stating that the publisher complies with the third-party licenses and ensures that DoD’s use of the product will not be in conflict with the third-party license.
In this instance the vendor should have included language that protected the DoD, as intended by the examples provided in the software licensing training. However, according to the contracting officer, the existence of embedded software was not recognized as a risk during negotiations and therefore they did not weigh the risk of third-party embedded software prior to awarding the DON Microsoft ELA.

In addition, the contracting officer accepted warranty disclaimer language in the product use rights document that was not in the best interest of DON in terms of protecting against potential defects in the software. Specifically, the product use rights document included, in addition to the limited warranty, a disclaimer of warranties for merchantability,[8] fitness for a particular purpose, and satisfactory quality. The software licensing training specifically lists disclaimers of these three warranties in an example of unacceptable language when reviewing a disclaimer of warranties clause. However, the Microsoft ELA includes FAR clause 52.212-4, which states that the contractor warrants and implies the items delivered are merchantable and fit for use. Additionally, the general terms and conditions in the contract state that the provisions of FAR 52.212-4 and the ELA take precedence over any terms of the product use rights document. Therefore, the FAR 52.212-4 warranty provisions for merchantability and fitness for a particular purpose would prevail. Neither the provisions of FAR 52.212-4 nor the ELA specifically names satisfactory quality or items such as “accuracy,” which is also included in the product use rights disclaimer.
The absence of these warranties imposes the risk on the DON that it will have limited recourse if the product fails in these disclaimed areas.

According to the contracting officer, the warranty section of the contract was one of the terms and conditions incorporated from the DoD ESI Microsoft blanket purchase agreement; DON was not able to negotiate terms that differed from this agreement. DON CIO should determine whether it is in the Government’s interest to modify the Microsoft enterprise license agreement regarding warranty and embedded third-party software. In addition, the DON CIO should require personnel to include favorable warranty and embedded third-party language when preparing ELAs for the remaining software opportunities on the list, such as Cisco, Oracle, and Adobe, or document how and why they determined and accepted the risk of not including the language.

⁸ To disclaim merchantability means the vendor does not guarantee and will deny any claim for a software product that is not marketable or of commercially acceptable quality.

Non-Enterprise Licensing Agreement Contracts Did Not Include Best Practice Clauses
The DON could improve the 13 non-ELA contracts reviewed, valued at $8.1 million, by including language provided in the software licensing training.
Specifically, the audit team reviewed 13 non-ELA software license contracts⁹ issued by 12 different DON contracting offices and determined that none contained all the best practice language to ensure the DON’s best interest was protected.

The DON non-ELA software license contracts included unacceptable language for contract clauses in 7 of the 11 areas of concern listed in the software licensing training. For example, of the 13 contracts, none contained acceptable language for warranty, transfer rights, or termination rights. One contract stated that the vendor is to provide a minimum 90-day warranty on all performed work/upgrades. However, the DoD position referenced in the software licensing training recommends a warranty that states the software shall meet specifications and requirements for 1 year from the first day the product is used.
In addition, for transfer rights, the software licensing training refers to the DoD Buyer Checklist, which states the DoD buyer is to add language in the terms and conditions of an order allowing for transfer of licenses within an affiliate of DoD or, at a minimum, within the component (in this instance, DON). However, 12 of the 13 contracts were silent to transfer rights. The one contract that included transfer rights stated that the DON component that received the software recognized that the supplied software was for the sole use of that facility. By both agreeing to terms that restricted sole use to one facility and without any other terms on transfer rights, the contracts did not allow for transfer within DoD or DON as the checklist suggests.

In addition, at least one contract contained unacceptable language in the areas of audit rights, click wrap licenses, order of precedence, and installation restrictions. For example, one contract was silent to both audit rights and click wrap licenses. If a contract were silent on these two areas, we considered it acceptable as long as the EULA was also silent, because this would mean there is also no unacceptable language present. However, the EULA associated with the contract included unacceptable language in both areas.
For example, the EULA contained a statement that it is a legal agreement between an individual or corporation and the vendor; by installing, copying, downloading, or accessing the product, the individual or corporation agrees to the terms of the EULA. This language is labeled as click wrap and considered unacceptable in the DoD ESI approved software licensing training. The complete results of the non-ELA reviews are shown in the table below.

⁹ The audit team reviewed two contracts that were prepared by different contracting officers but issued from the same contracting office, to verify a consistent pattern of terms.

DON Results of Best Practice Language in 13 Non-ELA Contracts Reviewed

11 Key Clauses               Unacceptable Language*   Acceptable Language**   Desired Language***
Warranty                     13                       0                       0
Transfer Rights              13                       0                       0
Third Party Software         0                        13                      0
Audit Rights                 1                        12                      0
Click Wrap Licenses          1                        12                      0
Automatic Renewals           0                        13                      0
Termination Rights           13                       0                       0
Governing Law                0                        12                      1
Order of Precedence          3                        10                      0
Installation Restrictions    1                        12                      0
Virtualization               0                        13                      0

  * Contract contained undesirable language or was silent (adds risk for certain clauses) on key clauses necessary to meet the intent of the best practices.
 ** Contract did not contain the desired language; however, the contract was either silent (acceptable for certain clauses) or contained comparable language, that was deemed acceptable to meet the intent of the best practices training.
*** Contract contained desired language from the best practices training

As shown in the table, the majority of the non-ELA contracts contained language we determined was acceptable for 8 of the 11 key areas. However, most of these areas we determined were acceptable because the contract was silent on the area and therefore did not contain unacceptable language. Silence in these areas may help limit possible claims or penalties the DoD could otherwise incur when certain language is found in contracts. However, silence does not help ensure the best interest of the DoD is met as intended by the desired language included in the DoD ESI approved software licensing training. Although we identified issues in the non-ELA contracts, we determined it would not be reasonable or efficient to reopen negotiations for these because of the dollar value of the contracts versus the potential cost to renegotiate.
In addition, the DON’s movement to ELAs discussed in the Microsoft section should eventually eliminate or minimize the need for these small contracts.

End User License Agreement Language Did Not Benefit DoD
None of the eight EULAs reviewed contained appropriate language in all the best practice areas. Our review of the EULAs associated with the non-ELA contracts showed that all eight DON contracting officers accepted EULAs that contained unacceptable language that did not benefit the DoD. Specifically, we reviewed EULAs for 8 of the 13 contracts reviewed. For the remaining five contracts:

• one contracting officer stated that the vendor did not provide a EULA or any other Software Agreement with the contract but provided an agreement to the end users with the software;

• one contracting officer stated the contractor provided the end user with terms and conditions after award of the contract but no agreement was received, reviewed, or approved by the contracting office;

• one contracting officer was unsure whether a EULA existed and referred to the original acceptor of the purchase requisition, who stated that he had no written agreements with the vendor; and

• two contracting officers stated that the vendor did not provide a EULA or equivalent document outlining the comprehensive
agreement between the Government and publisher or reseller.

Acceptable language for warranty, transfer rights, or termination rights was not found in any of the eight EULAs reviewed. One EULA, for example, stated that the licensor warrants that the licensed program will conform to the published specifications for 180 days from the date of shipment. This is far less than the best practice of 1 year from first use of the product, as stated in the software licensing training. The remaining EULAs either contained unacceptable language or were silent on these three areas. Because it is in the best interest of DoD to have a warranty on software for at least 1 year, to be able to transfer a license within DoD, and to include proper termination rights, we considered it unacceptable for EULAs to be silent in these areas.

In addition, one contracting officer accepted a EULA that included unacceptable language for audit rights.
Specifically, the EULA stated that during business hours, the vendor may inspect the facility and records to verify compliance with the EULA for use of the software product purchased, throughout the term of service and for 1 year after. If noncompliance was found, the DON organization was required to pay any underpayment amount within 15 days of receipt of a letter. In addition, if underpayment was more than 5 percent of the amount DON should have paid based on the amount of software DON used, the DON organization was required to reimburse the vendor for the amount incurred to conduct their audit. The DoD position in the software training is that the Government should perform self-audits and report the results to the contractor no more than once per year.

All the EULAs reviewed were silent in the areas of third-party software, click wrap licenses, order of precedence, and virtualization. Because the software licensing training provides examples of language contracting officers should recognize and avoid on these topics, we considered the EULAs’ silence on these topics to be acceptable.

We found only two examples of desired language from the software licensing training in any of the EULAs reviewed. One EULA contained desired language for automatic renewals and another for governing law.
For example, one EULA stated “Licensee (DON in this case) shall be notified of renewal options in advance of renewal periods.” The inclusion of this statement in the EULA allows the DON to make a determination whether to renew the software product at the end of the contract period, as opposed to automatically renewing.

Clauses Specific to Software License Acquisitions Were Not Required
The Assistant Secretary of the Navy (Research Development and Acquisitions) (ASN [RDA]) did not develop or issue guidance on whether to include specific clauses in software license contracts; therefore, DON contracts did not include the appropriate best practice language. The Under Secretary of the Navy issued a memorandum tasking the DON to use DoD IT consolidation efforts. In addition, ASN (RDA) and DON CIO issued a memorandum tasking the DON to use DON ELAs to achieve maximum cost savings. However, the ASN (RDA) lacked guidance that included specific clauses or required Navy organizations to make a determination on clauses contracting officers should ensure are included in software license contracts.
The DFARS includes subparts that address rights regarding computer software, computer software documentation, enterprise software agreements, and acquisition procedures. However, the DFARS subparts prescribe policy and procedures for acquiring commercial software and do not include desired, unacceptable, or recommended language for use in software license contracts. In addition, DFARS Subpart 208.7402 instructs DoD departments and agencies to fulfill requirements for commercial software in accordance with the DoD ESI. The ESI, however, states only that the Software Buyers Checklist is a starting point and does not state that departments and agencies must follow it.

Contracting Officers Did Not Receive and Were Often Unaware of Specific Training for Writing Software License Contracts
The contracts also did not include the appropriate best practice language because contracting officers did not receive the necessary training to gain the specialized knowledge to write software license contracts properly. Specifically, 11 of the 13 contracting officers stated that they had not received specific training for acquiring software licenses. One contracting officer who had received training stated that he had ESI training a few years ago while working for the Army but had not taken any other specific training for acquiring software licenses.
The other contracting officer stated that someone in their office who used ESI extensively provided them with informal training but that she had not taken any other training. The ASN (RDA) should develop a plan of action and milestones in conjunction with the DON CIO, to ensure that contracting officers take software licensing training before issuing any future software license contracts.

Software licensing training that included best practice language was available for contracting officers; however, ASN (RDA) did not require contracting officials to take the training. The Army CHESS website includes briefing slides with the “ABCs of Software.” According to CHESS officials, the goal is to provide website videos and tutorials in the future. In addition, CHESS officials stated that DoD ESI is supplementing CHESS by offering a 2-day commercial software training with a chapter on EULAs. However, ASN (RDA) did not require contracting personnel to view the briefings or take the available training. According to DON CIO personnel, they were not in a position to mandate this training to DON contracting personnel, as policies and guidance for the acquisition workforce are under the authority of the Chief Acquisition Officer. However, DON CIO personnel stated that planning was underway to offer training in FY 2013.
During a meeting with ASN (RDA) and DON CIO personnel, they agreed that development of any guidance involving contracting and software related topics is a joint effort between the two offices.

In many cases, DON contracting officers were not aware training was available. Specifically, 8 of the 13 contracting officers stated that they were not aware of the DoD ESI training or any other training specific to acquiring software license agreements. When asked whether they made contracting personnel involved with acquisition of software licenses aware of the available training, DON CIO personnel stated that they mentioned the availability of the ESI training during the DON Information Management/IT conference held in San Diego, California, and Virginia Beach, Virginia, during a “software licensing themed” training session. In addition, they stated that the software licensing training content was provided to each student on CD if they took the Defense Acquisition University Software Acquisition Management 301 class.

Trainings were in place to address the acquisition of software licenses; however, the trainings were ineffective if contracting officers were not required to take the training or the DON CIO did not make them aware that the training was available. DON contracting officers were made aware of the available trainings only if they attended one of the DON conferences or took the Defense Acquisition University class.
The DON CIO’s Director of Enterprise Commercial Information Technology Strategy stated that in anticipation of potential recommendations from our report, he authorized the posting of the DoD ESI approved software licensing training to the DoD ESI webpage in March 2013. We verified that “Software Licensing Training: Acquiring Licenses in These Changing Times” was available as of March 2013. The DON CIO should develop and issue a memo identifying the types of training available to contracting officers who prepare software license contracts; this would allow contracting officers to determine the appropriate language needed in the contracts, as well as provide guidance as to acceptable and unacceptable language required in EULAs. Likewise, the ASN(RDA) should require all DON contracting officers who prepare software license contracts and review EULAs, as well as contracting personnel that review software license or software acquisitions contracts prior to issuance, to take specialized training on using appropriate language in software acquisition contracts.

Increased Risk of Wasteful Spending, Government Disruption, Software Vendor Claims and Other Related Disputes
The DON increases the risk of wasteful spending, disruption to Government operations, and vulnerability to lawsuits, claims, and penalties if it does not include appropriate language in software license contracts that is geared
to protect the best interests of the DON. For example, when a contract includes unacceptable language, such as the contract that contained a 90-day warranty instead of 1 year from the first use of the product, the vendor has no obligation to fix software that malfunctions after 90 days. This lack of a proper warranty clause could lead to the disruption of Government operations or the need to purchase other software or software services to improve or continue operations. In addition to warranties, the inclusion of unacceptable language or silence in areas such as transfer rights, termination rights, and audit rights could result in wasteful spending of funds as well as disruption to Government operations. For example, the contracts that were silent on transfer rights or that allowed transfer only within the program that purchased it, could have unused licenses that could fill the needs of another DON program.
However, because the contracts are silent and the EULA does not allow for transfer to other programs, DON could be forced to purchase additional licenses to meet the needs of another program instead of using licenses already owned.

In addition, when a contracting officer accepts audit terms that allow a vendor to inspect a DoD facility and records to verify compliance, they risk exposing DoD information and incurring more costs if DoD must pay for the audit. Further, when vendors are allowed to establish licensing agreements directly with individual end users rather than negotiating an overall software licensing agreement with the contracting officer, the risk increases that software will be misused or improper licensing terms will be accepted. This can result in vendor claims or disputes with DoD in the future.

Management Comments on the Finding and Our Response

Management Comments on Cost-Saving Efficiencies
The DON CIO submitted general comments, stating that the DON CIO identified Enterprise Software Licensing as a primary DON efficiency target to achieve cost-savings.
He stated that through policy and Integrated Product Team actions, the efficiency initiative has realized significant progress contributing over $73 million in current and projected savings using the two Department-wide ELAs awarded to date. He further stated that as DON continues to establish ELAs, they are implementing lessons learned and management best practices including those identified in our recommendations.

Our Response
We commend the DON CIO on the efforts taken to lower prices and increase savings within the DON.

Recommendations, Management Comments, and Our Responses

Recommendation 1
We recommend that the Assistant Secretary of the Navy (Research, Development and Acquisition):

a. Require all Navy contracting personnel involved in preparing and issuing software license contracts to take specialized training that ensures software license contracts include only appropriate language that protects the best interest of the Government.

Deputy Assistant Secretary of the Navy for Acquisition and Procurement Comments
The Executive Director for the Deputy Assistant Secretary of the Navy for Acquisition and Procurement (DASN [AP]) responded for the ASN (RDA) and agreed, stating that the DASN (AP) will issue a memorandum requiring Navy contracting personnel involved in preparing and awarding software license contracts to take specialized training that ensures software license contracts include appropriate language to protect the best interest of the Government.
The Executive Director further stated that DASN (AP) would complete the memorandum for issuance within 30 days after DON CIO identifies the available training in accordance with recommendation 2.c.

Our Response
The Executive Director’s comments were responsive, and no additional comments are required.

b. Develop a plan of action and milestones in conjunction with the Department of the Navy Chief Information Officer to ensure that contracting officers take software licensing training before issuing any future software license contracts.

Deputy Assistant Secretary of the Navy for Acquisition and Procurement Comments
The Executive Director responded for ASN (RDA) and agreed, stating that DASN(AP) will coordinate with the DON CIO to develop a plan of action and milestones to ensure that applicable contracting personnel take software licensing training prior to issuing any future software license contracts.
The Executive Director stated that DASN(AP) would also complete the plan of actions and milestones within 30 days after DON CIO identifies the dates and types of available training as recommended in recommendation 2.c.

Our Response
The Executive Director’s comments were responsive, and no additional comments are required.

Recommendation 2
We recommend that the Department of the Navy Chief Information Officer:

a. Determine whether it is in the Government’s interest to modify the Microsoft enterprise license agreement’s language regarding warranty and embedded third-party software and take appropriate action.

Department of the Navy Chief Information Officer Comments
The Chief Information Officer agreed, stating that the DON CIO, in collaboration with the ASN (RDA), will review the DON Microsoft ELA, which is currently in its second option year of a three-option-year agreement, regarding the warranty and embedded third-party software to assess impact and risk of incorporating this language at this point in the implementation of the current ELA.
The Chief Information Officer further explained that in conducting the review, the DON will benchmark its DON Microsoft ELA with other DoD and Federal Agency Microsoft enterprise licenses that are available for review, as well as with DoD ESI Blanket Purchase Agreements and any related Federal Acquisition Regulation and General Services Administration Schedule 70 provisions. Following the review, the DON will take appropriate action.

Our Response
The Chief Information Officer’s comments were responsive, and no additional comments are required.

b. Require individuals to include the same or similar language, related to warranty and embedded third-party software, provided in the software license training, when preparing enterprise license agreements for the remaining software opportunities identified in the February 2012 memorandum, “Mandatory Use of Department of the Navy Enterprise Licensing Agreements,” or require the individuals to document how and why they determined and accepted the risk of not including the recommended language.

Department of the Navy Chief Information Officer Comments
The Chief Information Officer agreed, stating that through collaboration between ASN (RDA) and DON CIO, the DON plans to incorporate best practices, terms, and conditions into future DON ELAs and is building and expanding on its commercial software licensing expertise through its multi-organizational and multifunctional DON Enterprise Software Licensing team.
The Chief Information Officer further stated that the DON is participating in DoD-level enterprise software license projects through ESI that have a focus on EULAs and commercial software licensing best practices. Finally, he stated that in any DON ELAs they will specifically address warranty and embedded third-party software terms and conditions in documentation that provides rationale if a determination was made not to include the provisions.

Our Response
The Chief Information Officer’s comments were responsive, and no additional comments are required.

c. Develop and issue a memorandum identifying the types of training—providing knowledge to determine the appropriate language needed in the contracts and acceptable and unacceptable language required in End User License Agreements—available to contracting officers who prepare software license contracts.

Department of the Navy Chief Information Officer Comments
The Chief Information Officer agreed, stating that the DON CIO, in collaboration with ASN (RDA), will consult with the Defense Acquisition University to explore enhancing software licensing content of appropriate course offerings. The Chief Information Officer further stated that the DON CIO will continue to offer training sessions on topics related to EULAs and make related training content available via the DON CIO and DoD ESI websites.
Finally, he stated that the DON will conduct market research on available training on commercial software licensing and communicate availability to ASN (RDA) and apply appropriate methods to achieve the broadcast awareness by DON contracting and IT professionals.

Our Response
The Chief Information Officer’s comments were partially responsive. Although the Chief Information Officer plans to collaborate with ASN (RDA) to make efforts toward enhancing training content and will communicate availability of trainings to DON contracting and IT professionals as well as ASN (RDA), he did not include any timelines to achieve this broadcast awareness. Because the timeframe that DASN (AP), under the authority of ASN (RDA), agreed to issue a memorandum requiring Navy contracting personnel involved in preparing and issuing software license contracts to take specialized training in Recommendation 1.a. is based on DON CIO identifying the available trainings, it is critical that the DON CIO sets a reasonable timeline for completing this task. We request that the Chief Information Officer provide additional comments in response to the final report that include a timeline for completing the noted tasks and providing awareness of these opportunities to DON contracting and IT professionals.

Appendix

Scope and Methodology
We conducted this performance audit from July 2012 through May 2013 in accordance with generally accepted Government auditing standards.
These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

We conducted this audit to determine if the DON included appropriate clauses in software procurement contracts. We focused our audit on commercial off-the-shelf software contracts issued by the DON in order to review the contract writing practices of DON contracting offices. We selected a nonstatistical sample of Navy contracts active in FY 2012: 1 ELA contract and 13 non-ELA contracts. We received assistance from the Quantitative Methods Division in selecting this nonstatistical sample.

We conducted our review using the most current version of the Army CHESS training, which DoD ESI modified and Army CHESS issued in September 2012 under the name, “Software that Goes Bump in the Night Brief.” Based on the DoD ESI and CHESS level of expertise, we considered the best practices listed in the “Software that Goes Bump in the Night Brief” training to be reasonable. We did not perform any tests to determine if the best practices were sufficient to protect the Government’s best interest fully when acquiring software licenses.

The “Software that Goes Bump in the Night Brief” training presents the top 11 most occurring areas of concern regarding the acquisition of software licenses. It discusses the suggested DoD ESI’s Buyer Checklist requirement for each of the 11 areas and includes examples of acceptable and unacceptable language to look for in contracts and EULAs for each area.
For each contract, we reviewed the base contract and the EULA (or equivalent document) provided by the contracting officer, to ensure the contract files included the desirable language and excluded unacceptable language in accordance with each of these 11 areas of concern. Specifically, for all identified language applicable to the 11 areas of concern, the audit team would refer back to the “Software that Goes Bump in the Night Brief” training to verify whether the included language was desirable, acceptable, or unacceptable. When we found a contract that was silent in any of the 11 areas, we would assess whether it was acceptable or unacceptable for that area to be silent by determining whether it was in the Government’s best interest to address the areas in the contract based on the stated best practice for that specific topic. We made the following determinations:

• Desirable: Contract documents that included the desirable language per the examples provided in the “Software that Goes Bump in the Night Brief” training for the 11 reviewed areas of concern.

• Acceptable: Contract documents that were silent (no language included) to the areas of concern: Third-party software (embedded), audit rights, click wrap license, automatic renewals, governing law, installation restrictions, and virtualization.
  When a contract did not include unacceptable language for these specific areas of concern, we determined that the Government was not required to perform under those unacceptable terms. Therefore, because the contract documents were completely silent to these specific areas, they were acceptable.

• Unacceptable: Contract documents that were silent (no language included) to the areas of concern: Warranty, transfer rights, termination rights, and order of precedence (acceptable for EULA to be silent). Also in this category are the contract documents that included unacceptable language per the examples provided in the “Software that Goes Bump in the Night Brief” training for the 11 reviewed areas of concern.

Use of Computer-Processed Data
We did not use computer-processed data to perform this audit.

Use of Technical Assistance
We obtained support from the DoD Office of Inspector General Quantitative Methods Division on sampling methodology.
Considering the lack of a Navy Software Licensing Contracts’ database, Quantitative Methods Division assisted the audit team in formulating the steps necessary to select a nonstatistical sample for review.

Prior Coverage
No prior coverage has been conducted on the Navy, including appropriate clauses in software procurement contracts, during the last 5 years.

Management Comments

Deputy Assistant Secretary of the Navy for Acquisition and Procurement

Department of the Navy Chief Information Officer

Acronyms and Abbreviations
ASN (RDA)   Assistant Secretary of the Navy (Research, Development, and Acquisition)
CIO         Chief Information Officer
CHESS       Computer Hardware Enterprise Software and Solutions
DASN (AP)   Deputy Assistant Secretary of the Navy (Acquisition and Procurement)
DFARS       Defense Federal Acquisition Regulation Supplement
DON         Department of the Navy
ELA         Enterprise Licensing Agreement
ESI         Enterprise Software Initiative
EULA        End User License Agreement
FAR         Federal Acquisition Regulation
IT          Information Technology

Whistleblower Protection
U.S. Department of Defense
The Whistleblower Protection Enhancement Act of 2012 requires the Inspector General to designate a Whistleblower Protection Ombudsman to educate agency employees about prohibitions on retaliation, and rights and remedies against retaliation for protected disclosures. The designated ombudsman is the DoD IG Director for Whistleblowing & Transparency. For more information on your rights and remedies against retaliation, go to the Whistleblower webpage at www.dodig.mil/programs/whistleblower.

For more information about DoD IG reports or activities, please contact us:
Congressional Liaison: Congressional@dodig.mil; 703.604.8324
DoD Hotline: 800.424.9098
Media Contact: Public.Affairs@dodig.mil; 703.604.8324
Monthly Update: dodigconnect-request@listserve.com
Reports Mailing List: dodig_report-request@listserve.com
Twitter: twitter.com/DoD_IG

Department of Defense │ Inspector General
4800 Mark Center Drive
Alexandria, VA 22350-1500
www.dodig.mil
Defense Hotline 1.800.424.9098